Apple firmware: Leaks, links, and locking it all down

White HomePod on a dresser (Image credit: Apple)

I'm genuinely more excited for Apple's September 12, 2017 special event than I have been for any event since the iPhone 6. Still, Apple has now had two leaks leading up to the event, widely expected to include the announcement of iPhone 8, iPhone 8 Plus, and iPhone X, Apple Watch LTE, and Apple TV 4K HDR. The first one was an accident. The second one, not so much.

John Gruber, writing for Daring Fireball

Again: these URLs were not discovered by guessing the URLs, or because they were published at obvious URLs prematurely. Someone who works at Apple emailed these URLs to 9to5Mac and MacRumors — possibly without even knowing just how much information could be gleaned from these builds compared to the last developer beta builds. UPDATE: Let me clarify that sentence: whoever leaked these URLs knew it would be an incredibly damaging leak, if for no other reason than that they included the IPSW image for iPhone D22. The list of URLs they leaked included every device. The least amount of heretofore unknown information that was going to come out of this leak was massive, and whoever leaked it knew that. What I'm saying is they quite possibly didn't even know just how many little things, things I won't mention here for the sake of DF readers who are trying to stay spoiler-free for Tuesday's event, were spoiled by this leak. That person should be ashamed of themselves, and should be very worried when their phone next rings.

My understanding is the same as John's: The leak was internal and malicious. And it was incredibly damaging to the company — a company that relies on surprise as a key way to generate marketing buzz and maintain excitement in the media. It's just about impossible to believe anyone in a position to leak those links wouldn't know that.

From Apple's perspective that means, come Tuesday afternoon, instead of hearing about the announcements and the surprises, we'll be hearing about how the leaks were confirmed and, from those in the media who continually mistake cynicism for intelligence, how "boring" Apple has become. (Imagine a movie critic reading a leaked plot to "The Last Jedi" and then claiming the movie lacked surprises...)

As hard as it is to believe someone inside Apple would leak the firmware, it is just as hard to believe such a leak was possible. The firmware was live on the internet, protected only by an obscured URL. That means that once the URLs were leaked, anyone could download the firmware. No VPN, login credentials, or other security checks were required.

It's absolutely the fault of the leaker, but my guess is that the days of security through obscurity are done and Apple locks down the firmware delivery process asap.

Update: Great point by Will Strafach on Twitter: Convenience is the enemy of security.


Same with the HomePod firmware leak from last month. That leak wasn't malicious. It was the result of a mistake, at least at first. Someone copied an un-flagged version of the file to a public rather than a private directory.

It's not at all hard to believe that mistakes happen. It's still hard to believe that those kinds of mistakes can happen, though.

My guess is that Apple locks down that process asap as well, with both digital and human checks and safeguards.
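The two failures described above are different: the firmware leak worked because knowing the URL was the only access control, and the HomePod leak happened because an un-flagged build was copied into a public directory with nothing stopping the copy. The block below is an added illustration of the kind of "digital and human checks" that close both gaps; it is not Apple's code or process. It assumes a hypothetical publish gate that requires a release flag plus two distinct approvers before anything lands under a (constructed) public path, and an HMAC-signed, expiring download link in place of an obscured URL, so that a leaked link stops working on its own.

```python
"""Added example: a release-gating check and signed, expiring download links.

Nothing here is Apple's tooling; paths, approver counts and the signing
scheme are assumptions chosen to illustrate the two controls discussed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed directory layout (assumption): builds start in PRIVATE_ROOT and
# are only copied to PUBLIC_ROOT once the gate below says so.
PUBLIC_ROOT = "/public/ipsw/"
PRIVATE_ROOT = "/private/ipsw/"


@dataclass(frozen=True)
class Build:
    name: str
    released: bool                      # the "flag" an un-flagged build lacks
    approvals: frozenset = field(default_factory=frozenset)  # human sign-offs


def can_publish(build: Build, target_dir: str, required_approvers: int = 2):
    """Digital check: refuse to copy a build into the public tree unless it is
    flagged released AND at least `required_approvers` distinct people approved.
    Returns (allowed, reason) so the reason can be logged by the caller."""
    if not target_dir.startswith(PUBLIC_ROOT):
        return True, "private destination; no gate applies"
    if not build.released:
        return False, f"{build.name} is not flagged as released"
    if len(build.approvals) < required_approvers:
        return False, (f"{build.name} has {len(build.approvals)} approval(s), "
                       f"needs {required_approvers}")
    return True, "ok"


def sign_download(path: str, key: bytes, expires_at: int) -> str:
    """Issue a link that is only valid until `expires_at` (Unix seconds).
    Possessing the URL is no longer enough: the signature covers path and
    expiry, and the server can tie each issued link to the account that got it."""
    msg = f"{path}|{expires_at}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{path}?expires={expires_at}&sig={tag}"


def verify_download(url: str, key: bytes, now: int) -> bool:
    """Server-side check for a link produced by sign_download().
    Rejects missing/malformed parameters, expired links and any tampering
    with the path or expiry (constant-time comparison on the tag)."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires_at = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires_at:
        return False
    expected = hmac.new(key, f"{parts.path}|{expires_at}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Constructed sample data: a build named for illustration, not a real one.
    draft = Build("firmware-draft", released=False)
    print(can_publish(draft, PUBLIC_ROOT))        # blocked: not flagged
    signed_off = Build("firmware-final", True, frozenset({"alice", "bob"}))
    print(can_publish(signed_off, PUBLIC_ROOT))   # allowed

    key = b"constructed-demo-key"
    link = sign_download(PRIVATE_ROOT + "firmware-final.ipsw", key, 1_000)
    print(verify_download(link, key, now=500))    # True while unexpired
    print(verify_download(link, key, now=2_000))  # False once expired
```

Used this way, a copy to the public tree that fails `can_publish` is refused before the file is ever reachable, and a download link that escapes by e-mail is worthless after its window closes; the server log of which issued link was presented also gives investigators a starting point that an obscured static URL never could.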

I'm sure most people at Apple are too apoplectic to look for it right now, but if there's a silver lining for them in all this, that's it. Legacy has hellacious inertia and old processes don't die easily. Often, people are too busy to even stop and think about improving things that currently get the job done, even if imperfectly.

Then something like this happens, and top to bottom, everyone's will becomes bent on making sure it doesn't happen again.

Update: I've got no beef with leaks or the coverage thereof. But the world is nuanced and there are multiple perspectives and truths. Leaks provide considerable attention for websites that cover Apple, including iMore. They also inform customers who may be considering whatever products are about to be released. From Apple's perspective, though, they're damaging. They cost sales [on current devices], depress marketing, and the security enhancements that follow make it harder for many to do their jobs. That, in turn, can affect the next generation of products.

Update 2: There's a narrative going around that claims these were "controlled leaks" or "publicity stunts" from Apple. No, they weren't. This is not the kind of publicity the company wants or needs. Apple lives for the big reveal at the big event on the big stage. You can love or leave the leaks, whatever suits you. But don't think for a minute Apple wanted them or is anything other than extremely frustrated by them.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • I agree. But, like you, I am super excited to see the "actual" new products in real life, on stage and demoed.
  • Excellent commentary!
  • I would suggest to Apple two changes to their protocol: 1) don’t fire anyone in the few weeks leading up to a big release, and/or 2) at a previous employer, HR would let the IT team (I was the system admin) know ahead of time when a person’s access should be turned off before actually firing them and then turned off access while they were at HR office. That way they can’t go back to their desk and wreak havoc on a Friday afternoon like this one did.
  • Sound advice, but this is almost certainly in practice at Apple already. Highly doubt the leaker is a disgruntled former employee, for various reasons.
  • You almost wonder if it's the result of no firings? 'Cause god knows, if this happened under Jobs, you feel like even if it's a mistake, he'd put the fear into entire departments in retaliation. Tim, I could see understanding mistakes are made and reminding employees very strongly against leaks. But in this situation? Sheesh. Jobs would probably have fired the entire department.
  • This is great commentary but the reality is... everyone has stuff that leaks. Apple is not immune. It has happened before and will happen again in some way, shape or form. It's the nature of the beast. The only thing Apple can do is change their procedures and HOPE it doesn't happen in the exact same way. I mean what did the leaks REALLY confirm? All the stuff that was already rumored/leaked anyway. Were there any genuine surprises for those who were already following the rumors/leaks?
  • This is an excellent point. The leak was just a confirmation of most everything that had already previously leaked.
  • You're missing the forest for the trees. It's the confirmation that counts! It's like saying, "we had talked about getting married, and I had a suspicion my fiancé was going to get me an engagement ring for Christmas, so it wasn't a big deal when I accidentally found the receipt for the ring before he gave it to me."
  • I don't think so. If there was one speculative piece of information, then yes, but since multiple sources were leaking and disclosing the same information there wasn't even need for further confirmation. It's like if a person walks into your house and says it's really windy outside. Then another person walks in and says the same thing, and then another, yet, the only way that you will believe all of them is for you to go outside and check it. There was no further corroboration needed, therefore nothing new or damaging came from this leak.
  • Well regardless, I’m still quite excited for the event. Perhaps more so now, having a sense of what Apple has in store. The new phone sounds absolutely terrific, not to mention all the other things we’re expected to see. That said, I hope this is an anomaly. I don’t think this is particularly damaging to Apple. However leaks of this magnitude can’t and won’t continue.
  • Good thing Cook doubled down on secrecy.
  • Article seems to have a mixed message to me. I completely understand what's written... until the "Update". You make a legitimate case against corporate leaks, and in this case Apple, but then "update" the article to write you have no "beef" with leaks or coverage of leaks and point to the fact that leaks provide considerable attention for websites, like iMore. The next sentence suggests that leaks are beneficial to providing information to consumers. Not sure what materially changed to create an "update" when this piece was initially penned, but are you for leaks or against them?
  • Such a bummer that all this leaked as I enjoy the moment when stuff is unveiled. But we still don't know for sure if Apple Watch will get a new form factor and what the sides and back of iPhone X will look like. Also how thick it is. Also not much info about that function area at the bottom of the screen. Very interested to see what they do with that.
  • Personally, I'm happy to know all about the new iPhones. Could care less about feeling bad for poor Apple employees or Apple that their hard work got leaked earlier. Also, it's weird to see Gruber and Rene feel so bad about this (or maybe not, that's what they do)
  • I think "incredibly damaging" is an exaggeration. This leak is still seen as one of the usual rumors by many people. The actual event will be the relevant news story and not the leaks.
  • We're assuming that Apple didn't orchestrate the leak to build up interest in the forthcoming iPhones, especially as we've just seen the announcements of the latest and greatest from Samsung, LG et al. After all, governments do it all the time.
  • I have often believed that Apple, like other vendors, strategically leaks information, especially when it comes to lowering expectations. However, this leak is way over the top, particularly for its breadth and the nature of the leak. That said, there is probably no way to avoid it, and with the massive supply chain they now must manage, it will become a fact of life. If I were Apple, I'd be much more concerned about the facial recognition acceptance, especially with so many sites still saying they are in a race with Samsung to get an under glass touch ID solution in place. The iPhone X could potentially be a one-off device between solid touch ID systems - an orphan if you will.
  • I'm of the same opinion regarding Face ID. It feels like it was a "plan B" after Apple wasn't able to get fingerprint scanner to work.
  • "They cost sales [on current devices],.." Seriously? Is there anyone who is even remotely familiar with apple who did not know a new iphone was coming this September? I recall reading articles during the summer on many tech sites suggesting people should hold off to see what's new from apple in September before buying a current iphone.
  • It is funny that we all knew what the Note 8 would look like, at least somewhat. And even knowing that, sales are still through the roof. This could be a known tactic by the company to create a buzz over the product; start the conversation that leads to hype and excitement over this new phone, which everyone will most likely get just because they were going to anyway. However, now that they have created more noise about it beforehand, other people who were not interested are going to buy it as well.
  • I couldn't care less about the leaks. Nor do I care about the "surprise" of the event. All these leaks did was confirm some of the rumors that have been floating for a while. The mock images are cool but when I see the devices officially on stage, that is when I'll make my decision. Leaks or no leaks, I don't see Apple's sales being affected at all by this. Sure, from Apple's standpoint the fact that this could happen is problematic. But they will still sell hand over fist this fall and those leaks aren't going to affect that at all.
  • Whoever leaked these URLs should be prosecuted. This is beyond rumor reporting and is theft of intellectual property.
  • Reporting a public URL is theft? It's 2017. If Apple feels like such content isn't worth securing, then why is there so much angst over this?
  • Double thumbs up for your comment!
  • If that email was sent from an Apple company email account then that person(s) has already been contacted and sacked. I hope Apple totally locks down everything now. I for one hate it when these leaks happen as it ruins the surprise of the keynote, and in future I will NOT be online the week before a keynote from now on. The person who did this is scum and doesn't deserve to work for Apple, and having understood what's been written about, I highly suspect it's someone in the OS development team and I hope someone on stage tomorrow says something about this and what they are doing about it!
  • A bit harsh no? It wasn't taken from Apple's private network. It was public. Security by obscurity is not security. It's garbage.
  • "They cost sales [on current devices], depress marketing, and the security enhancements that follow make it harder for many to do their jobs." Sounds like iMore is more upset about the leaks than Apple. Can you provide a source for your comment that they will cost sales? Those who know about the leaks already know about the iPhone X, and those who don't know about a new iPhone (hopefully) this month will continue with their lives and buy a current phone.
  • I still think apple leaked it on purpose.
  • I'm hoping that when the 9to5Mac and MacRumors reps show up at the event their invitations are revoked and they are denied entrance to the event. Leo Laporte has been banned since he streamed a keynote address from his iPad years ago. More of these so-called tech journalists should be banned from Apple events. They are not Apple's friends, especially 9to5Mac and MacRumors whose comment sections have more Apple haters than supporters.
  • Seems to me if they are still allowed into the event, something else is going on here. I really really doubt there is any collusion, but allowing them in means they "want" them there. Anyway, most of this is a little over the top, so let's let tomorrow come and all get new phones.
  • Do you really want all tech journalists at the event to be Apple's friends? They might as well fill audience with only employees if they just want cheerleaders.
  • These two tech sites published proprietary documentation that was damaging to the company. They should be banned from this and future Apple events.
  • I am still excited. Half a day away at this point. I hate it that the leaks got out because I know Apple loves secrets, but it didn't slow down my excitement. I still wanna see a fully finished high-res image of the iPhone 10. I am buying on the day they are available.
  • Interestingly, now that Apple seems to have solved the hardware leaks problem (almost no credible / substantial parts/components/designs have been leaked, neither of the new iPads, iPhones, Apple Watch, AirPods, nor HomePod this year!), they have a software leak problem.